From: Jesse Gross <je...@nicira.com>
When collecting TCP flags we check that the IP header indicates that
a TCP header is present but not that the packet is actually long
enough to contain the header. This adds a check to prevent reading
off the end of the packet.
In practice, this is only likely to result in reading of bad data and
not a crash due to the presence of struct skb_shared_info at the end
of the packet.
This is a crossport of commit 9c47b45a3bb56009bf2553c493d097eeadd7e5c2
from master.
Signed-off-by: Jesse Gross <je...@nicira.com>
Acked-by: Pravin B Shelar <pshe...@nicira.com>
---
datapath/flow.c | 3 ++-
lib/dpif-netdev.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/datapath/flow.c b/datapath/flow.c
index c6f591a..06df0f6 100644
--- a/datapath/flow.c
+++ b/datapath/flow.c
@@ -239,7 +239,8 @@ void ovs_flow_used(struct sw_flow *flow, struct sk_buff
*skb)
u8 tcp_flags = 0;
if (flow->key.eth.type == htons(ETH_P_IP) &&
- flow->key.ip.proto == IPPROTO_TCP) {
+ flow->key.ip.proto == IPPROTO_TCP &&
+ likely(skb->len >= skb_transport_offset(skb) + sizeof(struct
tcphdr))) {
u8 *tcp = (u8 *)tcp_hdr(skb);
tcp_flags = *(tcp + TCP_FLAGS_OFFSET) & TCP_FLAG_MASK;
}
diff --git a/lib/dpif-netdev.c b/lib/dpif-netdev.c
index 67b5189..0f93f96 100644
--- a/lib/dpif-netdev.c
+++ b/lib/dpif-netdev.c
@@ -987,7 +987,8 @@ dp_netdev_flow_used(struct dp_netdev_flow *flow, struct
flow *key,
flow->used = time_msec();
flow->packet_count++;
flow->byte_count += packet->size;
- if (key->dl_type == htons(ETH_TYPE_IP) && key->nw_proto == IPPROTO_TCP) {
+ if (key->dl_type == htons(ETH_TYPE_IP) &&
+ key->nw_proto == IPPROTO_TCP && packet->l7) {
struct tcp_header *th = packet->l4;
flow->tcp_ctl |= th->tcp_ctl;
}
--
1.7.2.5
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
